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CoronAppColombia application technical 
analysis - Synthesis report 


Bogotá, April 17, 2020 


This report is based on research conducted primarily upon versions 1.2.29, 1.2.30, 1.2.31, 
and 1.2.32 of the CoronApp mobile phone application. During the investigation, new 
versions were released every 3 or 4 days. Release notes detailing changes made in each 
versión are not available. 

A previous versión of this report was sent to those government entities involved in the 
development and implementation of this application, as well as COLCERT (Colombian 
Computer Emergency Response Team). Several changes were implemented by the 
corresponding entities, taking into account some of the report's findings. As of the date of 
this publication, the current versión of the application is 1.2.36. Some comments in italics 
correspond to the changes that have been made since then. 

Although they have been corrected, the details of the vulnerabilities that we have found 
are not published here. 

The goal of this exercise is to contribute to an improvement in digital security and 
privacy. 
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O. Methodology 


ln addition to examining the available public information about CoronApp, which appears 
in the application itself and in the Google Play Store, the following non-intrusive methods 
were used: 

• static analysis of permissions and trackers included in CoronApp's source code 
using Exodus Privacy 1 and ClassyShark 3xodus 2 \ 

• static analysis of the app's accessible source code using Apktool 3 and analysis of 
the app's manifest (Android Manifest); 

• analysis of the data flows generated and received by the application when installed 
on a phone running Android 7 using Wireshark 4 . Tests inelude sending data through 
the registration and health report forms; 

• passive traffic analysis using virtual machines and Burp Suite 5 ; Burp is a traffic 
analysis tool that uses an HTTP proxy to allow client-side data packets to be 
analyzed, including data that goes through an SSL (HTTPS). 

Note 1: A deeper analysis has still not been possible to implement using the Burp tool 
since the last two analyzed versions of the app do not work on virtual machines 
(apparently they only work on computers with arm64 processors). 

Note 2: Before carrying out the analyzes that involved filling out forms, a warning email 
was sent to several people related with CoronApp's management (working with the 
Instituto Nacional de Salud -INS-, the Agencia Nacional Digital -AND- and the Ministry of 
ICT -MINTIC-, see Annex [0]) looking to ensure that they would identify these forms and 
would not take that information into account in their respective analyzes and the alerts 
generated by their system. 

1 httDs://exodus-Drivacv. eu. ora/en/ 

2 https://f-droid. ora/en/Dackaaes/com. oF2oks. classvshark3xodus/ 

3 httDs://¡botDeaches.aithub.¡o/ADktool/ 

4 httDs://www. wireshark.ora/ To make this capture, we generated a WIFI access point from the 
Computer that was running the WireShark program. The cellphone using the CoronApp 
application accessed the Internet through this WIFI access point. 

5 https://portswigger.net/ 
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1. Data collected by the application 


The application collects the following data (see screenshots in Annex [1]): 


Type of data 

Data 

Personal data from the registration 

form 

Ñame and súmame 

ID type and number 

Cellphone number 

Gender 

Date of birth 

Country, 

State, 

City of residence 

Email 

Password 

Sensitive personal data from 
reporting and registration forms 

Ethnic origin 

Health report: 1 feel fine / 1 feel sick 

Symptoms 

Contact with people with symptoms 

Medical care received 

Previous travel to other countries 

Data that may be collected by the 
application in a "not visible" way 

Phone contacts 

Device location (systematically sent by the app 6 ) 
Nearby WIFI networks 

Information available via Bluetooth, particularly 
about other nearby Bluetooth devices 


The last part is related to the broad amount of authorizations requested by the 
application. 


In the latest versions, the data collected by the registration form was reduced to ñame 
and súmame, ID type and number, phone, and cellphone number. 

6 The GPS coordinates appear in the captures made with WireShark. 
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2. Application permissions and passive data 
collection 

2.1 Application permissions 


This application requests a huge amount of permissions 7 . The following is the list that 
appears when Exodus Privacy is used. These coincide with the application manifest, see 
annex [2]): 

There are several permissions that can be intrusive in terms of privacy: 

• Device location access: the analysis of WireShark logs shows that the application 
regularly sends the GPS coordinates of the device; 

• access to contacts; 

• access to the information of available WIFI networks detected by the device; 

• access to Bluetooth devices that the phone can detect. 

Also, after installing the application, it runs automatically at startup 
("RECEIVE_BOOT_COMPLETED" permission). 

It is important to note that versión 1.2.29 of the application requested 14 permissions. 
These permissions have been expanded to 19 from versión 1.2.30 and are maintained in 
the following analyzed versions. Three Bluetooth-related permissions are new and we 
couldn't find an explanation or information about it in the application's documentation. 

As shown in the screenshot below, the BLUETOOTH_ADMIN permission can be quite 
intrusive as it can detect nearby devices (those with Bluetooth function activated). 

In the latest versión of the app, 16 permissions are requested. Access to phone contacts 
has been removed. Permissions related to device location, Bluetooth, and nearby WIFI 
networks remain. 


7 Most are not explicitly requested to the user during installation or use. 
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2.2 A curious fact: the inclusión of the HypeLabs library in the 
latest versions of the application 


The inclusión of the software development kit (SDK) called "Hypelabs" 8 is shown in the 
Android manifest of the application. HypeLabs is a company that develops this type of 
SDK to give applications the ability to create local "mesh" networks using the 
communication features available on the phone such as Bluetooth and WiFi. This may be 
related to the new app permissions we just mentioned. 

CoronaApp introduces this SDK in versión 1.2.30. The few changes introduced in versión 
1.2.31 are related to this same library. This change raises questions since in the published 
documentation of this application a feature that requires this functionality is never 
mentioned. However, this library can allow someone to deduce the relative location of a 
person compared with another, in combination with the use of personal data collected by 
the application. The ethical and legal conclusions of this type of surveillance should be 
reviewed if this hypothesis were to be confirmed. 

It is important to note that it has not been concluded that this is the use that will be given 
to the capabilities of this library. In fact, the application was not making use of this library 
until the latest versión. 

Further analysis is necessary to produce a conclusive answer to this issue. 

Regarding the mentioned permissions as well as the inclusión of this library, the National 
Digital Agency answered the following: 

"The application's request for geolocation, WiFi and Bluetooth networks permissions, as 
well as the Processing of said data, is necessary to identify the location of users and any 
cióse contad they may have with people around them since this will allow locating 

8 https://hypelabs.io/ 
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citizens with potential symptoms, possi ble sources, and chains of COVID-19 contagión, 
allowing the National Institute of Health to collect the necessary and timely 'Information 
to act diligently in the face ofthe great risks of spread identified in the population." 


3. Application s data transfer security 

3.1 An unsafe data transfer up to versión 1.2.31 


Until versión 1.2.31, after analyzing the data-flow generated by the application from the 
phone (Wireshark) or from an emulation environment (Burp) showed that personal 
registration data was transferred without security ñor encryption, using the HTTP 9 
protocol. Data were transferred to a dedicated subdomain of the Government's National 
Digital Agency ("apicovid.and.gov.co"), hosted on an server of Amazon Web Service 
located in the State of Washington 10 (see Annex [3]). This web server is a Nginx server 
versión 1.17.9 (latest versión). 

The analysis also shows that the GPS coordinates of the device are regularly sent to this 
same server using the same protocol. 

Regarding the transfer of health data (reports), data packets were not possible to identify 
with certainty because the information is encoded since these fields were checkboxes. 
However, since when transferring this data the application communicated only using the 
HTTP protocol (towards a server with the same IP address), it can be deduced - almost 
certainly - that this data transfer was not secure either. 

As of versión 1.2.32 (from March 31) the use of the HTTP protocol was replaced by the 
secure HTTPS protocol (HTTP encapsulated in the SSL / TLS encrypted protocol). A new 
subdomain was created ("apicovid2.and.gov.co") and linked with a new web server * 11 , with 
which the application currently communicates. 

9 HyperText Transfer Protocol. The transfer is done using an unconventional port (5000) but this 
does not change the lack of protocol security. 

10 The web server has the IP address: 52.87.234.39. 

11 The new server has the IP address: 34.199.57.23. It is also hosted by Amazon. 
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This is a major improvement in terms of the application's security as data is now 
transferred using an encrypted channel. 

However, this vulnerability persists on the devices of people who have not updated the 
application since the oíd server is still active and data continúes to be transferred to it in 
an unsafe manner. in addition, complementary analyzes conducted by the NGO Access 
Now showed that the new server continued to respond to HTTP requests with the same 
HTTP protocol. 

This issue was corrected and in the latest versions the possibility for the application to 
communicate with the server using the HTTP protocol has definitively been removed. 


3.2 A Serious Vulnerability issue in the Application's 
Authentication method 


[Although the vulnerability issue mentioned in this section has been apparently 
fixed, we have removed some details in order not to facilítate attacks. The goal 
of this exercise is to contribute to an improvement in digital security and 
privacy.] 

This vulnerability involves an authentication flaw that could allow an attacker to access 
personal data of users registered in the application's backend server (with which the 
application communicates). 

The backend server used by Coronapp_colombia does not exert sufficient access control 
to resources that should be restricted for each user, allowing an attacker to have the 
ability to access user resources without the need for any authentication. This vulnerability 
could lead to a possible listing of huge amounts of sensitive data from users registered in 
the application. 
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ln a package review done in the application flow, it was found that some packages that 
should inelude an authentication token do not inelude it, and yet the API sends responses 
that correspond to actions that should normally carry authentication. 


This issue is found in the server that had been used until versión 1.2.31 of the application 
(server using HTTP without SSL / TLS, domain "apicovid.and.gov.co" and IP address: 
52.87.234.39 ") and that had apparently been replaced in versión 1.2.32 as mentioned 
( server using HTTP with SSL / TLS, domain "apicovid2.and.gov.co" and IP address: 
34.199.57.23). However, the original server hasn't been put out of operation so this 
vulnerability issue persists. 


[...] 


With this in mind, other application "endpoints" (URLs) are likely to have the same 
problem. [...] 

which would facilítate automating an attack to extract information. 

We think that this vulnerability issue can be reproduced by making a request to the API 
hosted at: [...] 


In order to evalúate our findings, we asked the support line for security incidents from 
NGO Access Now to review our diagnosis of this vulnerability issue and they agree with 
our analysis. 
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4. Trackers in the application 


The analysis of trackers found directly in the application code shows us the following (the 
same ones appear in versión 1.2.31): 

The consequence of using these trackers is that connections with Google and Facebook 
servers can be observed in the flow captures (Wireshark). This generates a direct user 
trace by these third parties through the use of an application that processes sensitive 
data. 

It should also be noted that because the purpose of this application is to provide 
information, it is connected to the websites of the Presidency, the National Institute of 
Health, and the Ministry of Health. Connections to various third-party servers are shown, 
including advertising platforms: 

However, the presence of the latter is not directly due to the application but to the 
external Internet sites from which they extract the information. 

/n the latest versión of the app, there are two trackers (Google CrashLytics and Google 
Firebase Analytics). Facebook's trackers have been removed. 
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ANNEXES - References 


[O] Preliminary email sent to INS, AND and MINTIC 


Subject: Analysis of the CoronApp application 

Date: Sat, 28 Mar 2020 15:35:43 -0500 

From: XXXXXX - Karisma <XXXXXXX@karisma.org.co> 

Organization: Fundación Karisma 

To: XXX@ins.gov.co, XXX@mintic.gov.co, XXX@and.gov.co, XXX@mintic.gov.co 
CC: XXX XXX <XXXX@karisma.org.co>, XXX XXX<XXXXX@karisma.org.co> 

Good afternoon, 

Karisma Foundation is a civil society organization, founded in 2003 and located in Bogotá, 
that seeks to respond to the opportunities and threats that arise in the context of 
"technology for development" for the exercise of human rights. Karisma carries out 
activism with múltiple perspectives - legal and technological - in coalitions with local, 
regional and international partners. 

For several years we have been evaluating security and privacy aspects of some web 
pages and applications associated with procedures and Services of public interest. These 
analyzes have been reported to the Ministry of Technology (MINTIC), which on several 
occasions has provided us with means of communication with those teams or individuáis 
responsible for the operation of the analyzed platforms. We hope to receive this kind of 
support in this occasion. 

Right now we are conducting a non-intrusive analysis of the CoronApp application, 
promoted by the National Institute of FHealth, in terms of privacy and digital security. Part 
of our evaluation ineludes the analysis of the data traffic generated by the forms that 
collect personal information, and for this reason, we want to inform you that you will find 
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records in the ríame of Karisma, associated with the email XXX@karisma.org. co. This data 
is not real and should not be taken into account for health reports or alert generation. 


Once we have the full report of our findings on the CoronApp application, we will send it 
to you in the first place. 


If you have any questions or concerns about the subject, you can contact us by answering 
this email. We look forward to answering any questions. 

Sincerely, 


Karisma Foundation 


[1] CoronApp application data collection forms 


(completed for analysis) 


[2] Application permissions. App manifest (Android Manifest) 


(Android Manifest, .xml file made by developers to describe the application technically) 


[3] Sending Registration data using the HTTP protocol 
(versión 1.2.30) 


Here you can see an HTTP packet transferring the form data. The unusual use of port 
5000 causes Wireshark to not recognize the HTTP protocol, but its contení shows that it is 
(POST / user / create HTTP /l.l) and shows the data filled in the registration form: 
firstname: Fundación Karisma, lastname: TestNoTenerEncuenta, document number 
1234567890, phone: 3123456789, email: test@karisma.org. co, gender: femenino e 
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incluso el password: Azerty78. In the part that follows, all the other data entered in the 
form is shown. 


Data is transferred to the domain "apicovid.and.gov.co" on a server with IP address 
52.87.234.39. 


[4] This Annex has been removed. 


In order not to facilítate attacks, even though we know that the reported vulnerability 
issue is currently corrected, we will not disclose the details of this annex. The goal of this 
exercise is to contribute to an improvement in digital security and privacy. 


[5] Wireshark captures Extract, app versión 1 . 2 . 31 , executed 
on an Android 7 phone 


In order not to facilítate attacks, even though we know that the reported vulnerability is 
currently corrected, a section of this annex (the request) has been removed. However, we 
leave a portion of the server response that shows the personal datas that it was possible 
to access. 


[6] Burp flow extract (app versión 1.2.29) 


Only part of the original Annex (server response) is shown. 


12 


